Thanks Zdenek, Going back to my books I am learning more thanks to your comment. I think I understand what you are saying, but to work I still need to be able to expand the regular expression
so even with set="cn=..../member*" it would have to be set,expand="cn.../member*", because I have to match the group. I don't have a central admin group.
from what I've seen ",expand" only works with dn. constructs. Is that right? How else can I do this?
cheers, darryl
Darryl Moore wrote:
Thanks, but not quite
if I have a group
cn=mygroup,ou=Groups,dc=....
then I also have a subgroup
cn=admin,cn=mygroup,ou=groups,dc=....
I want the members of the subgroup to have write access to the parent group, and the members of the parent group to only have read access.
Zdenek Styblik wrote:
Darryl Moore wrote:
I'm trying to set up access controls for the server. Here are the rules I am trying to implement
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none
olcAccess: {1}to dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * none
olcAccess: {2}to dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write by group="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
# dn.base and group.exact take literal DNs, so the regex anchor "$" does not belong in them
olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca" by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca" by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
olcAccess: {6}to * by users read by * none
Basically I have groups, and within those groups I have Contact lists and administrators. I want the administrator to have write access, other members to have read access, and non members to have none.
This rule is what I think should work for that:
dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
I know this rule works for individual user contact lists:
dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * none
I think the problem I am running into is having the <who> field as
group.exact,expand
Can I not do this? If not, is there any way to achieve the same result?
thanks, darryl
by ssf=128 set="[cn=admin,ou=groups,dc=domain,dc=tld]/member & user" write
->
any member of group 'admin' (groupOfNames) can write to...
I'm not sure if that's what you're trying to do.
Zdenek
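The rule at the heart of this thread is olcAccess {3}: a capture from the "to dn.regex" clause is expanded into the "by" clause so that members of the Admin subgroup of a given group get write on that group, Management gets write everywhere, and other authenticated users get read. The script below is an added example, not part of the thread and not OpenLDAP's code: it is a toy evaluator that models the two slapd rules that matter here (first matching "to" wins, then the first matching "by" wins, with an implicit "by * none") and the $1 expansion, against a small constructed directory. The group DNs, the user DNs alice/bob/carol and the anchored variant of the regex are all assumptions made for the example. It also shows something the posted rule does not make obvious: because the posted regex is not anchored with "^", it also matches the Admin subgroup entry itself (cn=Admin,cn=mygroup,... contains cn=mygroup,ou=Groups,...), so subgroup members can modify their own subgroup's membership; the anchored variant lets that entry fall through to the catch-all rule. Real ACLs should be checked with slapacl(8), not with this model.

```python
"""Toy model of slapd ACL evaluation for the "to dn.regex ... by group...,expand" pattern.

Constructed example: it is not OpenLDAP code and only approximates slapd's
behaviour (first matching `to`, then first matching `by`, implicit `by * none`).
"""
import re

# Constructed directory: group DN -> attributes. Members are user DNs.
# DN comparison is case-insensitive, which is why ou=Groups / ou=groups both work.
DIRECTORY = {
    "cn=mygroup,ou=Groups,dc=moores,dc=ca": {
        "member": ["uid=alice,ou=People,dc=moores,dc=ca",
                   "uid=bob,ou=People,dc=moores,dc=ca"]},
    "cn=Admin,cn=mygroup,ou=Groups,dc=moores,dc=ca": {
        "member": ["uid=alice,ou=People,dc=moores,dc=ca"]},
    "cn=Management,ou=Groups,dc=moores,dc=ca": {
        "member": ["uid=carol,ou=People,dc=moores,dc=ca"]},
}

# olcAccess {3} from the thread, as posted: the regex has no leading "^".
ACL_GROUPS_UNANCHORED = {
    "to": r"cn=([^,]+),ou=Groups,dc=moores,dc=ca$",
    "by": [
        ("group.expand", "cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca", "write"),
        ("group", "cn=Management,ou=Groups,dc=moores,dc=ca", "write"),
        ("users", None, "read"),
    ],
}
# Assumed variant with the regex anchored at the start of the DN.
ACL_GROUPS_ANCHORED = dict(ACL_GROUPS_UNANCHORED, to=r"^" + ACL_GROUPS_UNANCHORED["to"])
# olcAccess {6} from the thread: the catch-all rule.
ACL_CATCHALL = {"to": r".*", "by": [("users", None, "read"), ("*", None, "none")]}


def find_entry(dn):
    """Case-insensitive DN lookup in the constructed directory."""
    for entry_dn, attrs in DIRECTORY.items():
        if entry_dn.lower() == dn.lower():
            return attrs
    return None


def is_member(user_dn, group_dn):
    entry = find_entry(group_dn)
    if entry is None:
        return False
    return user_dn.lower() in {m.lower() for m in entry.get("member", [])}


def expand(template, match):
    """Replace $1..$9 (or ${1}) in a `by` pattern with captures from the `to` regex."""
    return re.sub(r"\$\{?(\d)\}?", lambda m: match.group(int(m.group(1))), template)


def who_matches(style, pattern, user_dn, match):
    """Does this `by` clause apply to user_dn (None = anonymous)?"""
    if style == "*":
        return True
    if style == "users":
        return user_dn is not None
    if style == "group":
        return user_dn is not None and is_member(user_dn, pattern)
    if style == "group.expand":
        return user_dn is not None and is_member(user_dn, expand(pattern, match))
    raise ValueError("unsupported who-style: " + style)


def access_for_rule(target_dn, user_dn, acl):
    """Access level from one ACL, or None when its `to` clause does not match."""
    match = re.search(acl["to"], target_dn, re.IGNORECASE)
    if match is None:
        return None
    for style, pattern, level in acl["by"]:
        if who_matches(style, pattern, user_dn, match):
            return level
    return "none"  # implicit trailing "by * none"


def access(target_dn, user_dn, acls):
    """First ACL whose `to` matches decides; later ACLs are never consulted."""
    for acl in acls:
        level = access_for_rule(target_dn, user_dn, acl)
        if level is not None:
            return level
    return "none"


if __name__ == "__main__":
    chain = [ACL_GROUPS_UNANCHORED, ACL_CATCHALL]
    for user in ["uid=alice,ou=People,dc=moores,dc=ca", "uid=bob,ou=People,dc=moores,dc=ca", None]:
        for target in ["cn=mygroup,ou=Groups,dc=moores,dc=ca", "cn=Admin,cn=mygroup,ou=Groups,dc=moores,dc=ca"]:
            print(user, "->", target, ":", access(target, user, chain))
```

The anchored and unanchored chains give the same answers for the parent group entry; they differ only for the subgroup entry, which is exactly the kind of case slapacl -D &lt;user&gt; -b &lt;target&gt; write is there to confirm against the running configuration.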